Security

Microsoft Patches DWM Zero-Day: CVE‑2026‑20805 Exposed

Krishn patel

Krishn patel

2 min read
Microsoft DWM Zero‑Day CVE‑2026‑20805 Patch
Patch DWM Now
  • Key Takeaways:
  • Microsoft fixed a DWM information-disclosure zero-day (CVE-2026-20805) on Patch Tuesday, Jan. 13, 2026.
  • The bug allows low-privilege local attackers to leak user-mode memory via remote ALPC ports; MSTIC/MSRC confirmed exploitation in the wild.
  • CVSS v3.1 score 5.5 (Important); not remotely exploitable, but easy to trigger — patch legacy Windows builds immediately.
  • Apply Microsoft KB updates for affected Windows 10/Server releases and monitor DWM with EDR tools; restrict low-privilege local accounts.

Overview

Microsoft released a security update on January 13, 2026, addressing an information-disclosure zero-day in the Desktop Window Manager (DWM). The issue, tracked as CVE-2026-20805, was reported as being exploited in the wild and was included in the monthly Patch Tuesday rollup.

Technical details

CVE-2026-20805 is an information-disclosure flaw that allows low-privilege local attackers to obtain sensitive user-mode memory, including section addresses. The vulnerability is triggered via remote ALPC (Advanced Local Procedure Call) ports used by DWM.

Why this matters

Leaked memory addresses can reveal pointers and process layout, aiding attackers in bypassing address-space layout randomization (ASLR) and facilitating follow-on privilege escalation. Although Microsoft rated the flaw as "Important" with a CVSS v3.1 base score of 5.5 (AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N), its low complexity and lack of required user interaction make it an attractive post-compromise tool for malware operators.

Affected systems and patches

The vulnerability primarily affects older Windows builds still receiving updates under extended support. Microsoft has published KB updates for each affected platform; administrators should prioritize these patches.

Notable updates include:

  • Windows 10 v1809 (x86/x64) — KB5073723
  • Windows Server 2012 R2 — KB5073696
  • Windows Server 2012 — KB5073698
  • Windows Server 2016 — KB5073722

For full lifecycle and package details, consult the Microsoft Security Response Center (MSRC) advisory for CVE-2026-20805.

Mitigation and detection

Immediate mitigation: deploy the provided KB updates across affected systems. If you cannot patch right away, restrict or disable low-privilege local accounts and limit access to systems where local access is possible.

Detection: monitor DWM processes and ALPC activity with endpoint detection and response (EDR) tools. Look for unusual inter-process communication or attempts to enumerate memory sections, and review logs for post-compromise behaviors consistent with privilege escalation chains.

Microsoft Threat Intelligence Center (MSTIC) and MSRC confirmed observed exploitation but noted no public proof-of-concept is available at this time. Organizations running unsupported or legacy builds face elevated risk and should accelerate remediation.

Keeping legacy Windows components updated and monitoring DWM activity reduces the window of opportunity for attackers to use information-disclosure bugs like CVE-2026-20805 as a stepping stone in complex intrusions.

Read more